In a live webinar today, Kaspersky Lab experts presented their review of Q2 2018 advanced persistent threat (APT) activity. In addition to charting the latest campaigns, tools and techniques deployed by established threat actors, Vicente Diaz and Costin Raiu, security researchers in Kaspersky Lab’s global research and analysis team, also discussed the reawakening of previously quiet groups, revealing that Asia was the epicenter of APT activity during Q2 2018.
Some of the many threat actors watched were Lazarus and its subgroups BlueNoroff and Andariel. While BlueNoroff tended to target financial institutions, Andariel specialized in nonfinancial institutions; both are financially motivated. As the geopolitical situation continues to evolve between North and South Korea, researchers are unsure what the new role of Lazarus will be.
Lazarus groups remained active and were detected by McAfee, which reported the Bankshot attack against Turkish financial institutions. Also in Q2, ESET detected attacks on casinos in Latin America that were followed by destructive attacks. Kaspersky’s own telemetry revealed attacks on financial institutions in Asia.
Manuscrypt was the tool of choice in many recent attacks, and in June US-CERT warned of a new version of this malware, formerly known as FALLCHILL and now dubbed TYPEFRAME.
Researchers also noted relatively high activity from the ScarCruft and DarkHotel APTs. ScarCruft, also known as Group 123 and Reaper, was actively using new malware, including a new backdoor called Poorweb, throughout Q2. The group’s activity indicated an increase in its capabilities. While researchers initially suspected the group was responsible for CVE-2018-8174, the zero-day announced by Qihoo 360, they later confirmed that this second zero-day was the work of a different activity group, DarkHotel.
These two groups, while different, overlap in many ways.
The LuckyMouse APT, also known as APT27 and Emissary Panda, abused national data centers in Asia, planting watering holes in high-profile websites. Researchers observed activity from multiple Chinese-speaking actors targeting Mongolia over the last 10 months, which they suspect is not coincidental, though they are not sure whether the activity is coordinated.
A VPNFilter campaign discovered by researchers from Cisco Talos targeted over half a million domestic networking and storage devices all over the world. It affected devices from a large set of hardware vendors and included a traffic-injection capability that creates the possibility of infecting computers behind the compromised hardware. The FBI attributes this activity to Sofacy/Sandworm (BlackEnergy APT) actors.
“The second quarter of 2018 was very interesting in terms of APT activity, with a few remarkable campaigns that remind us how real some of the threats we have been predicting over the last few years have become,” said Vicente Diaz, principal security researcher, Kaspersky Lab global research and analysis team.
“In particular, we have repeatedly warned that networking hardware is ideally suited to targeted attacks, and we have highlighted the existence and spread of advanced activity focusing on these devices.”